Ben's notes

CentOS 6 - OpenLDAP 2.4 server with TLS

This guide will install OpenLDAP with TLS. Tested on CentOS 6.5 minimal install.

Note: Please see my updated CentOS 7 guide

Configure iptables

  • Edit /etc/sysconfig/iptables. The example below inserts the rules at positions 6 and 7 of the INPUT chain (389 for plain LDAP/StartTLS, 636 for LDAPS), then saves the ruleset so it persists across reboots.
iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -m comment --comment LDAP
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -m comment --comment LDAPS

service iptables save

Install OpenLDAP 2.4

Install packages

yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel

Configure SSL certificates

Put your CA root certificate, server certificate and private key at the paths below (the private key should be readable by root and the ldap user only).

/etc/openldap/certs/cacert.pem #CA root certificate
/etc/openldap/certs/server.key #private key
/etc/openldap/certs/server.crt #server certificate


vi /etc/sysconfig/ldap
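
Added example, not part of the original guide: a pre-flight script that checks the three files above before slapd is pointed at them (key/certificate match, chain to the CA root, key not world-readable), and prints the cn=config LDIF setting the olcTLS* attributes to those paths. It assumes the openssl CLI and GNU stat, and that cn=config is reachable over ldapi:/// with SASL EXTERNAL as root (SLAPD_LDAPI=yes in /etc/sysconfig/ldap); if it is not, the same three attributes can be put into cn=config.ldif under /etc/openldap/slapd.d before starting slapd, the way this guide edits the other files.

```shell
#!/bin/bash
# Added example, not part of the original guide: sanity-check the three
# files placed under /etc/openldap/certs above before slapd is told to use
# them, then print the cn=config LDIF that points slapd at them.
# Assumes the openssl CLI and GNU stat (both present on CentOS 6).

check_tls_material() {
    local ca="${1:-/etc/openldap/certs/cacert.pem}"
    local crt="${2:-/etc/openldap/certs/server.crt}"
    local key="${3:-/etc/openldap/certs/server.key}"
    local f
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # slapd runs as the ldap user; the key must not be readable by "other"
    # (e.g. root:ldap 0640), or any local account can read it.
    case "$(stat -c %a "$key")" in
        *[1-7]) echo "private key is world-accessible: $key" >&2; return 1 ;;
    esac
    # The public key inside the certificate must be the one derived from the
    # private key, otherwise every TLS handshake fails.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "$key does not match $crt" >&2; return 1
    fi
    # The server certificate must chain to the CA root that clients trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt is not issued by $ca" >&2; return 1; }
    return 0
}

# Prints the cn=config change for ldapmodify -Y EXTERNAL -H ldapi:///.
# "replace" also overrides any default olcTLS* values already in cn=config.
tls_config_ldif() {
    local ca="${1:-/etc/openldap/certs/cacert.pem}"
    local crt="${2:-/etc/openldap/certs/server.crt}"
    local key="${3:-/etc/openldap/certs/server.key}"
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$ca"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$crt"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$key"
}
```

Source the file, run `check_tls_material && tls_config_ldif > /tmp/tls.ldif`, then apply it as root with `ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/tls.ldif`; the check returns non-zero on the first problem it finds.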

Use DB config example

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set permissions

chown -Rf ldap:ldap /var/lib/ldap

Set LDAP root password (run slappasswd; it prompts as below and prints the {SSHA} hash that goes into olcRootPW further down)

New password: <password>
Re-enter new password: <password>

Change default DN

vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: <your DN>

To allow users to change their own password (and to keep password hashes hidden from everyone else), append the next lines after the last olcDbIndex line in the same file.

olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,<your DN>" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,<your DN>" write
       by * read

Set the root password hash (from slappasswd above) on the last line of the same file:

olcRootPW: {SSHA}<hash>

Correct the manager DN in olcDatabase={1}monitor.ldif (same directory)

vi olcDatabase={1}monitor.ldif
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=manager,<your DN>" read  by * none

Test server config and start

slaptest -u
service slapd start
chkconfig slapd on

Configure as client (select the following in authconfig-tui, then on the LDAP settings screen enable TLS and enter the server and base DN)

[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient

[*] Use TLS
Server: ldaps://<server:636>
Base DN: <your DN>


Test LDAP (anonymous search; the last line of the output is shown):

ldapsearch -x -b "dc=localdomain,dc=com"

Output: search: 2

Test TLS:

ldapsearch -x -b "dc=localdomain,dc=com" -ZZ

Output: search: 3

Configure LDAP server

Configure base domain

# ldapadd -x -W -D "cn=Manager,<your DN>" -f base.ldif

dn: <your DN>
dc: <first dc component of your DN, e.g. localdomain for dc=localdomain,dc=com>
objectClass: top
objectClass: domain

dn: ou=People,<your DN>
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,<your DN>
ou: Group
objectClass: top
objectClass: organizationalUnit

Create posix user

# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_user.ldif
# set password
# ldappasswd -s newpassword -D "cn=Manager,<your DN>" -W -x uid=username,ou=People,<your DN>

dn: uid=username,ou=People,<your DN>
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User Name
uid: username
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/username
loginShell: /bin/bash
gecos: User Name
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Create posix group

# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_group.ldif

dn: cn=username,ou=Group,<your DN>
objectClass: top
objectClass: posixGroup
cn: username
gidNumber: 3000
openldap_server_with_tls_centos_6.5.txt · Last modified: 2021/10/09 15:14 by